Unreal Engine 4 and Linux

I understand what he meant, I am saying that it would enable attackers to know the existence of a repository without access rights to it. You would be able to try random URLs like “unrealengine5” or “halflife3”, and by getting a login prompt, you would know that such a repository exists.

This isn’t dumb at all.

I just explained it - if it returned a different code than 404, you could automatically generate a list of private repositories for an organization by just probing all possible URLs. While not a real risk in the classical sense, it’s still private information. Everyone knows Epic has an UnrealEngine repo, but if Microsoft has a WindowsWithLinuxKernel repo, that’s probably not information they want to be public. Private means private.

Go to GitHub’s issue tracker to see other people say the same thing (one with the same Half-Life 3 example I jokingly gave above): Private repositories should not return 404 · Issue #162 · dear-github/dear-github · GitHub

Can we go back to Linux discussions instead of feature requests for GitHub?

What GitHub should do is what I said: please log in first (which is what perplexes most users when they click the UE4 GitHub link - they get a 404 error). And then when they log in, they will find the repo. But if the repo doesn’t exist or is inaccessible (private repo etc.), then GitHub can display 404 - it is good enough. No one mentioned fixing the 404 error by returning a list of repos, even if they are private.

*You can’t ever have a different behaviour on a private repo and a non-existing repo because it confirms its existence and can be bruteforced.*
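The rule stated above, as an added example that is not code from anyone in this thread or from GitHub: a minimal repository lookup in a leaky form (private repo answers differently from a missing one) beside the uniform form, plus the check a defender would run to confirm the two cases are indistinguishable. The catalogue, user names and response bodies are constructed for the illustration.

```python
# Added example: the leaky and the uniform response policy for a repo lookup.
# The catalogue, users and messages below are assumptions constructed for this
# illustration, not GitHub's real data or behaviour.

# Constructed catalogue: repo path -> (is_public, set of users allowed to read it)
REPOS = {
    "EpicGames/UnrealEngine": (False, {"alice"}),
    "example/public-docs": (True, set()),
}

NOT_FOUND = (404, "Not Found")


def lookup_leaky(path, user):
    """Vulnerable variant: an unauthenticated caller gets 401 for a private
    repo but 404 for an unknown path, so the status code alone confirms
    whether the path exists."""
    if path not in REPOS:
        return NOT_FOUND
    is_public, readers = REPOS[path]
    if is_public or user in readers:
        return (200, f"repo {path}")
    if user is None:
        return (401, "Login required")
    return (403, "Forbidden")


def lookup_uniform(path, user):
    """Hardened variant: every case the caller may not read collapses to the
    same 404, so an existing private repo looks exactly like a non-existent
    one, whether or not the caller is logged in."""
    entry = REPOS.get(path)
    if entry is None:
        return NOT_FOUND
    is_public, readers = entry
    if is_public or user in readers:
        return (200, f"repo {path}")
    return NOT_FOUND


def existence_leak(lookup, user=None):
    """Defender's check: True if the response for a private repo the caller
    cannot read differs from the response for a path that does not exist."""
    private = lookup("EpicGames/UnrealEngine", user)
    missing = lookup("EpicGames/DoesNotExist", user)
    return private != missing
```

The same check applies to response headers and timing in a real deployment, not just the status code and body compared here.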

Are we done on this? This isn’t the place to discuss the security and convenience of GitHub, especially for explaining the same thing over and over. Please?

I have PM-ed someone on this matter… but basically the fix is just a matter of rewording:
‘We cannot find the public repo (note that you have not logged in). If you are accessing a private repo, then please log in first.’

So this way, if a user wants to brute force to check if the repo exists, he/she has no idea whether the brute force actually resulted in anything. So security-wise, it is still good.